Internet of Things (IoT) is a new concept surrounding us every day. But security of IoT devices is defined by S in the abbreviation of the term. You may say “but there is no S in IoT”. Well, that is exactly my point.

In April, a casino was hacked through a thermometer, an IoT device which controls temperature of a fish tank located in the lobby. This is not an isolated incident. Mirai-like DDoS attacks that exploited vulnerability of IoT devices and turned them into bots created record-breaking amplified DDoS attacks by creating Tbps-level bogus traffic.

Your IoT Devices

A 2018 survey conducted by Ponemon Institute, The Internet of Things (IoT): A New Era of Third-Party Risk, shows that 21% experienced a breach caused by an unsecured IoT device that is 6% increase compared to previous year. Same percentage (21%) also valid from cyber attacks caused by IoT devices. 97% of the respondents believe that aftermath of a cyber attack related to an IoT device could be catastrophic to their organization.

Many organizations start to consider IoT devices as a third party cyber risk. It definitely increases the attack surface. While assessing the third party cyber risk, IoT devices should definitely be on the list. However, old-school questionnaire method does not suffice to conduct a proper assessment for these new technological devices. A third-party cyber risk assessment tool (such as NormShield Cyber Risk Scorecard), which extracts the digital footprint of an organization to determine its cyber exposure and provides security ratings for cyber risk assessment, can give better evaluation on the cyber risk posed by these devices.